Nginx – Which permissions should I set to dhparam.pem

chmodnginxopensslssl

I am generating Diffie-Hellman parameters for the ssl_dhparam directive in the SSL configuration of nginx.

The file dhparam.pem is created with the command openssl dhparam 2048 -check -out dhparam.pem.

Which permissions should I set to this file? Is it safe to share in a git repository or should I keep it private?

Best Answer

The dhparam file contains the prime which defines the group for the DH key exchange. It is not a secret, and will be sent in clear during the key exchange, so there is no point in trying to keep it secret.

As for file permissions: nginx needs to read them, and an attacker must not be able to edit them. It may depend on your setup, but setting owner and group to root and permissions to 644 should work.

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

After more research it seems like another (possibly better way) to answer this would be to setup the www folder like so.

sudo usermod -a -G developer user1 (add each user to developer group)
sudo chgrp -R developer /var/www/site.com/ so that developers can work in there
sudo chmod -R 2774 /var/www/site.com/ so that only developers can create/edit files (other/world can read)
sudo chgrp -R www-data /var/www/site.com/uploads so that www-data (apache/nginx) can create uploads.

Since git runs as whatever user is calling it, then as long as the user is in the "developer" group they should be able to create folders, edit PHP files, and manage the git repository.

Note: In step (3): '2' in 2774 means to 'set Group ID' for the directory. This causes new files and sub directories created within it to inherit the group ID of the parent directory (instead of the primary group of the user) Reference: http://en.wikipedia.org/wiki/Setuid#setuid_and_setgid_on_directories

Nginx – Should I set diffie helman parameters for nginx ssl

Should I generate and set these parameters?

Yes.

Does it have any influence on [the] security...of ssl?

Yes, when enabling Perfect Forward Secrecy. An appropriate ciphersuite must also be configured.

If a future attacker compromises your TLS, with PFS past traffic they intercepted and retained still cannot be decrypted.

Generate a DHE prime no smaller than your SSL certificate RSA private key. Given a 2048 bit private key:

$ openssl dhparam -out dhparam.pem 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
..+..+...............+

Does it have any influence on [the]...computational load of ssl?

Too little to worry about.

conventional wisdom that TLS is slow is outdated
the advantage of PFS outweighs the cost
TLS is well handled by modern CPUs; adding DH has a minor incremental cost compared to the total cost of TLS
this cost is only incurred during the TLS handshake; a well-tuned TLS does the handshake infrequently or otherwise reduces the cost with session resumption, false-start, OCSP stapling, and more

Google I/O 2014 had a good HTTPS Everwhere talk which covered these and related topics in a broad fashion.

Best Answer

Related Solutions

Linux – How to Set Up Permissions for the WWW Folder

Nginx – Should I set diffie helman parameters for nginx ssl

Related Topic